Exploit lets websites bombard visitors’ PCs with gigabytes of data

Chrome, IE, and Safari trick could become new form of Rick Roll.

A Web developer has demonstrated a simple-to-execute exploit that allows websites to surreptitiously bombard visitors' storage devices with gigabytes of junk data.

As its name suggests, FillDisk.com loads an almost unlimited amount of data onto hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer, and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site.

FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives. The functionality can be useful when end users are filling out long forms; if the browser crashes before the form has been completed, the data that's already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can't abuse the feature by writing unlimited amounts of data.

Indeed, Chrome, IE, and Safari limit the amount of data that can be downloaded, but the restriction is placed on subdomains rather than the upper-level domain to which they belong. FillDisk.com works by directing subdomains such as 1.filldisk.com, 2.filldisk.com, and so on to each send the maximum amount allowed. Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount. The exploit is simple to implement. Additional details are here and the source code is here.

To be fair to the developers of the affected browsers, the exploit doesn't appear to expose private data or permit the remote execution of malicious code. Compared to many vulnerabilities, the weakness abused by FillDisk.com seems minor. Still, it's not hard to imagine someone e-mailing malicious links to a large number of people just to get a rise. In addition to filling up the receivers' hard drives with data, the exploit can cause some versions of Chrome to crash.

Chrome developers responding to Aboukhadijeh's bug report seemed to agree that the behavior isn't ideal. "There is a SHOULD recommendation in the HTML specification suggesting that UAs guard against this behavior," one wrote. "Firefox seems to implement this, we do not."

In Chrome localStorage is held in memory and is not written to disk (at least when using Incognito Mode). You can verify this by opening the task manager before opening the site and watch the memory usage going up.

That will be the reason for crashing at about 2 GB (memory limit for 32 bit applications).

You can't just treat all second-level domains as being related. Because you've got domains like .co.uk.

In other words, you want to stop 1.filldisk.com, 2.filldisk.com, 3.filldisk.com... from each taking up 10MB. But you want to allow amazon.co.uk, microsoft.co.uk and google.co.uk to each be able to take the full 10MB. The rules will get complicated quickly if all you want to test is the domain name. (Obviously, I'm assuming a browser-defined limit of 10MB in this case. It varies by browser.)

Better to look at patterns of usage. The browser shouldn't bother testing anything until usage or rate of change gets large. Then it could do some basic parsing of what's happening and throw a dialog box up to the user "filldisk.com is using over 1GB of your disk space and wants to use more. Allow?"

You can't just treat all second-level domains as being related. Because you've got domains like .co.uk.

In other words, you want to stop 1.filldisk.com, 2.filldisk.com, 3.filldisk.com... from each taking up 10MB. But you want to allow amazon.co.uk, microsoft.co.uk and google.co.uk to each be able to take the full 10MB.

Couldn't a WHOIS be part of those rules?

Too many domains show up on WHOIS as Network Solutions, Go Daddy, various brand management firms, etc.

You can't just treat all second-level domains as being related. Because you've got domains like .co.uk.

What. .co.uk is just another ccTLD. A site is still going to be in the form subdomain.domain.TLD|ccTLD, and handling that is something already done everywhere. No, the issue is when subdomains are actually "separate" sites. Some web hosts or service providers offer something along the lines of yourname1.domain.com, and that will in fact be an entirely independent site vs othername2.domain.com. Each one should potentially get its own space. Intranet sites are another important use case where users/IT might want to allocate an internal business webapp much more space than average.

But only potentially, maybe the sane simple solution is to just say "one domain, one chunk" and people who won't spend the $7/year or whatever to get their own domain just have to suck it up and deal without that particular HTML5 feature. Browsers could also offer whitelists and the like. At the very least though, some overall sanity check quantity should probably be a preference. "Don't let the browser use more than N gigs total, start throwing away data LIFO when it gets hit." That'd at least serve to keep the lid on the amount of mischief possible.

FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives.

I always turn this off. I've lived my life this long without that 'convenience' and I think I can continue to do so for as long as I don't trust unknown people at the other end of my Internet connection.

Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount.

I have no idea which version of Opera he tested. I got a prompt at the 75MB limit for the sum of all subdomains of a domain in my config - which I was not aware of before! Getting a prompt and being able to make exceptions and raise the limit on a per domain basis seems to be as good as it needs to be to me.

In addition to the amusing music and graphics, I watched memory usage climb to a bit over 2GB before *all* of Chrome crashed - not just the tab as I expected. I did have it open in "Incognito Mode" so that it used memory instead of disk space.

Damn, affects IE10 on Windows Phone too. Albeit, at a much slower rate than Desktop, but that could be because my phone was already pretty full to begin with.

EDIT: It only seems to work up to a point in IE10 (on Desktop, dunno how far it went on mobile). I was watching my disk space. I noticed changes for less than a gig, then free space stopped shrinking.

Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount.

I have no idea which version of Opera he tested. I got a prompt at the 75MB limit for the sum of all subdomains of a domain in my config - which I was not aware of before! Getting a prompt and being able to make exceptions and raise the limit on a per domain basis seems to be as good as it needs to be to me.

Yeah, I think it depends on your preferences. Just now when I tested it I got the same results you did, but when I tested it earlier on a different computer it asked before downloading anything at all. That computer is less robust than this one, and has different settings for history and disk cache, so I'm guessing it was something to do with that (could be automated on Opera's part, but I doubt that).

You can't just treat all second-level domains as being related. Because you've got domains like .co.uk.

What. .co.uk is just another ccTLD. A site is still going to be in the form subdomain.domain.TLD|ccTLD, and handling that is something already done everywhere.

What?

I know there are people on here who know more about this than I do, but my understanding is that .uk is the ccTLD and .co.uk is an SLD no different than any other SLD. Well, it's used differently than a typical SLD, but from an Internet topology perspective, you'd have to hard-code the browser to know the difference between .co.uk and .filldisk.com.

It is not infinite. I tried it in every browser for as long as it would go and tried to see what would happen. Chrome crashed at around 2GB (because the data is stored in RAM and not on disk) and in IE, the amount stopped at about 8GB. The counter went up into infinity, but my hard drive space did not decrease any longer. Just an FYI to the creator of the article that it's not as serious as thought. (I also tried it on my Windows Phone and it worked for about 2GB too)

I'm using IE10 on Windows 8 and I let it run until it said it claimed nearly 5 GB of my hard disk space. Was watching my drive usage and resource monitor. While it was running and I saw a lot of disk activity, my used space on my HDD only increased by maybe 1 GB. It wasn't even filling up my RAM. Not sure what that means. FWIW I'm on RAID0 with two SSD hybrid drives. Is there some sort of redundancy check? Or maybe IE10 really does handle this relatively sanely in some cases?

What about .gov.ccTLD sites? gov.uk, gov.il, etc. gov.ccTLD is not a TLD, gov is a SLD, such as how google is the SLD of google.com. So would all "gov" also share the same 10MB?

And also Canada: each province has a SLD, so bc.ca, on.ca, qc.ca, which are further divided for each government such as gov.bc.ca, gov.on.ca, etc., and the federal gov uses gc.ca. Would they be all forced to share?

I agree, this seems a bit more complicated to solve than first thought. And yes, I realize that gov sites probably won't use the local storage, but it makes for a good example of how complicated this matter really is.
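The commenters above (the .co.uk objection, the "patterns of usage" prompt idea, and the gov.bc.ca case) are all arguing about one design question: what key a browser should aggregate storage usage under. The following is an added illustration, not code from the article, from FillDisk.com or from any browser: it groups usage by registrable domain (longest matching public suffix plus one label) using a constructed, tiny suffix list, keeps the old per-origin cap, and adds an aggregate cap at which the browser would stop writing silently and prompt, as Opera reportedly does at 75MB.

```javascript
// Added example, not the article's or any browser's code. Constructed,
// deliberately tiny public-suffix list; a real implementation would use
// the full Public Suffix List (publicsuffix.org) and keep it updated.
const PUBLIC_SUFFIXES = new Set([
  'com', 'uk', 'co.uk', 'gov.uk', 'il', 'gov.il',
  'ca', 'bc.ca', 'on.ca', 'gov.bc.ca', 'gov.on.ca', 'gc.ca',
]);

// Registrable domain = longest matching public suffix + one more label.
// 1.filldisk.com -> filldisk.com, amazon.co.uk -> amazon.co.uk.
// Hostnames with no known suffix are returned unchanged.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join('.');       // longest first
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join('.');
  }
  return hostname.toLowerCase();
}

// Usage tracker: per-origin cap (what Chrome/IE/Safari enforced) plus an
// aggregate cap per registrable domain at which the browser should prompt.
class StorageQuota {
  constructor(perOriginBytes, promptBytes) {
    this.perOriginBytes = perOriginBytes;
    this.promptBytes = promptBytes;
    this.byOrigin = new Map();   // hostname -> bytes used
    this.bySite = new Map();     // registrable domain -> bytes used
  }
  // Returns 'ok' (write accepted), 'origin-full' or 'prompt' (write held).
  request(hostname, bytes) {
    const site = registrableDomain(hostname);
    const originUsed = (this.byOrigin.get(hostname) || 0) + bytes;
    const siteUsed = (this.bySite.get(site) || 0) + bytes;
    if (originUsed > this.perOriginBytes) return 'origin-full';
    if (siteUsed > this.promptBytes) return 'prompt';
    this.byOrigin.set(hostname, originUsed);
    this.bySite.set(site, siteUsed);
    return 'ok';
  }
  siteUsage(hostname) { return this.bySite.get(registrableDomain(hostname)) || 0; }
}

// How many numbered subdomains (1.domain, 2.domain, ...) can each fill
// their per-origin allowance before the aggregate cap triggers a prompt.
function countAllowedSubdomains(domain, maxSubdomains, perOrigin, aggregate) {
  const q = new StorageQuota(perOrigin, aggregate);
  let allowed = 0;
  for (let i = 1; i <= maxSubdomains; i++) {
    if (q.request(`${i}.${domain}`, perOrigin) !== 'ok') break;
    allowed++;
  }
  return allowed;
}
```

With a 10MB per-origin cap and a 75MB aggregate cap, only seven numbered subdomains get their full allowance before the prompt, while amazon.co.uk and google.co.uk each keep an independent budget.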

How about making a global limit, keeping the rest of the functionality as-is, and having it set up in a FIFO manner?

This is a problem that both the browser developers and web developers are responsible for. The browsers should enforce reasonable limits on what a site can store while web developers should use the feature as it is intended. The feature is not intended to store the "Great American Novel" on users' computers.